Components

Application Security Management (IAST)

• Limit the visiting of objects for Trust Boundary Violation (#7847 - @manuel-alvarez-alvarez)
• 🐛 Update header injection exclusions (reduce false positives) (#7821 - @manuel-alvarez-alvarez)
• 🐛 Ensure vulnerabilities are reported with taintable values (#7801 - @manuel-alvarez-alvarez)
• Expand SSRF support in IAST to apache-httpclient, commons-httpclient and okhttp (#7792 - @Mariovido)
• 🐛 Fix String subsequence taint tracking bug (#7778 - @jandro996)
• Attach stacktrace to IAST vulnerabilities (#7757 - @jandro996)

Application Security Management (WAF)

• Update ASM rules to 1.13.2 (#7844 - @ValentinZakharov)
• Update ASM rules to 1.13.1 (#7831 - @ValentinZakharov)
• ✨ Upgrade to libddwaf 1.20.1 (libddwaf-java 11.1.0) (#7828 - @ValentinZakharov)
• Propagate AppSec blocking exceptions from bytebuddy supressions (#7516 - @manuel-alvarez-alvarez)

Build & Tooling

• Remove hadoop from the denylist (#7866 - @andrewlock)

Configuration at Runtime

• 🐛 Fix remote config update operation (#7856 - @ValentinZakharov)
• ✨🔍 Fix relying on configId for remote config log level tracer flare change (#7788 - @cecile75)

Continuous Integration Visibility

• Add codeowners tag to test suites (#7861 - @daniel-mohedano)
• 🐛 Fix skippable tests request in headless mode (#7860 - @nikita-tkachenko-datadog)
• 🐛 Fix code coverage percentage reporting for Android projects (#7815 - @nikita-tkachenko-datadog)
• Lower log level for duplicate repo index keys warning (#7814 - @nikita-tkachenko-datadog)
• 🐛 Throw exception when using repo index to resolve source path for classes with identical names (#7793 - @nikita-tkachenko-datadog)
• 🐛 Fix automatic coverage includes calculation for headless test sessions (#7784 - @nikita-tkachenko-datadog)
• 🐛 Fix Jacoco coverage exclusion (#7783 - @nikita-tkachenko-datadog)
• 🐛 Fix module name detection for headless sessions (#7779 - @nikita-tkachenko-datadog)

Database Monitoring

• Add _dd.dbm_trace_injected tag to SQL Server prepared statements (#7863 - @nenadnoveljic)
• Add DBM_TRACE_INJECTED tag to SQL Server (#7849 - @nenadnoveljic)

Dynamic Instrumentation

• Make SymDB upload enabled by default for DI (#7869 - @jpbempel)
• Fix Where conversion for CodeOrigin probes (#7858 - @jpbempel)
• Add compression support for SymDB paylods (#7851 - @jpbempel)
• Split SymDB payload when too large (#7838 - @jpbempel)
• Add retry policy for uploading requests to agent (#7824 - @jpbempel)
• ⚡ Avoid exception when capturing fields in jdk16+ (#7774 - @jpbempel)

JMX fetch

• Bump JMXFetch to 0.49.5 (#7853 - @carlosroman)

Profiling

• Do not force-disable TLAB allocation events on JDK 8 (#7878 - @jbachorik)
• Bump ddprof to 1.16.0 (#7871 - @jbachorik)
  • Improve robustness of the crash signal handler by @jbachorik in DataDog/java-profiler#134
  • Remove a looping allocation when updating threads by @r1viollet in DataDog/java-profiler#135
  • Add a fail-safe when we encounter double-exit from crash handler by @jbachorik in DataDog/java-profiler#138
  • Crash handler recursion protection - Fix by @r1viollet in DataDog/java-profiler#139
  • Split java version to 'java version' and 'hotspot version' by @jbachorik in DataDog/java-profiler#142
  • Do not patch jmethodIDs for newer than JDK 8 by @jbachorik in DataDog/java-profiler#148
• Delay queue time rate limiting until event is committed (#7867 - @richardstartin)
• 🐛 Apply rate limit to queue events (#7823 - @richardstartin)
• Unwrap netty writetask (#7822 - @richardstartin)
• ✨⚡ Introduce aggregated smap events (enabled by default) (#7820 - @MattAlp)

Telemetry

• 🐛 Fix telemetry logs default flag (#7833 - @smola)

Tracer core

• 🐛 Prevent NPE setting null span baggage (#7848 - @PerfectSlayer)
• Widen catch blocks to make agent discovery more tolerant (#7796 - @mcculls)
• Fall back to ports when we cannot use auto-discovered unix domain sockets (#7794 - @mcculls)
• Improve isolation of embedded JFFI dependency (#7789 - @mcculls)
• ✨ Support DD_TRACE_<INTEGRATION>_ENABLED (#7718 - @mtoffl01)
• ✨⚠️ Add support for TRACE_HTTP_CLIENT_TAG_QUERY_STRING and change default value of HTTP_CLIENT_TAG_QUERY_STRING to true (#7677 - @mhlidd)
• Propagate AppSec blocking exceptions from bytebuddy supressions (#7516 - @manuel-alvarez-alvarez)

Instrumentations

Apache Spark instrumentation

• 🐛 Fix default value for long-running spans with DJM (#7795 - @paul-laffon-dd)
• Support for kafka lag metrics in spark streaming applications (#7474 - @kr-igor)

AWS SDK instrumentation

• ✨ Extract AWS payload tags (#7811 - @ygree)

JAX-WS instrumentation

• Add Jakarta WebService Instrumentation (#7854 - @jordan-wong)

JDBC instrumentation

• 🐛 Avoid metadata access in driver connect advice for Oracle sharded connections (#7812 - @mcculls)
• 🐛 Do not parse DBInfo when no connection (#7800 - @amarziali)

Kafka instrumentation

• Enabled kafka-clients 3.8+ by default (#7818 - @nayeem-kamal)

Lettuce instrumentation

• ✨ Support lettuce 6.5 (#7876 - @amarziali)

Reactor instrumentation

• ✨ Support reactor context span propagation (#7864 - @amarziali)

Other changes